.TH "seccomp_export_bpf" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_export_bpf, seccomp_export_pfc \- Export the seccomp filter
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.B typedef void * scmp_filter_ctx;
.sp
.BI "int seccomp_export_bpf(const scmp_filter_ctx " ctx ", int " fd ");"
.BI "int seccomp_export_pfc(const scmp_filter_ctx " ctx ", int " fd ");"
.BI "int seccomp_export_bpf_mem(const scmp_filter_ctx " ctx ", void *" buf ", size_t *" len ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_export_bpf ()
and
.BR seccomp_export_pfc ()
functions generate and output the current seccomp filter in either BPF (Berkeley
Packet Filter) or PFC (Pseudo Filter Code).  The output of
.BR seccomp_export_bpf ()
is suitable for loading into the kernel, while the output of
.BR seccomp_export_pfc ()
is human readable and is intended primarily as a debugging tool for developers
using libseccomp.  Both functions write the filter to the
.I fd
file descriptor.
.P
The filter context
.I ctx
is the value returned by the call to
.BR seccomp_init (3).
.P
While the two output formats are guaranteed to be functionally equivalent for
the given seccomp filter configuration, the filter instructions, and their
ordering, are not guaranteed to be the same in both the BPF and PFC formats.
.P
The
.BR seccomp_export_bpf_mem ()
function is largely the same as
.BR seccomp_export_bpf (),
but instead of writing to a file descriptor, the program will be written to the
.I buf
pointer provided by the caller.  The
.I len
argument must be initialized with the size of the
.I buf
buffer.  If the program was valid,
.I len
will be updated with its size in bytes.  If
.I buf
was too small to hold the program,
.I len
can be consulted to determine the required size.  Passing a NULL
.I buf
may also be used to query the required size ahead of time.
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
Return zero on success or one of the following error codes on
failure:
.TP
.B -ECANCELED
There was a system failure beyond the control of the library.
.TP
.B -EFAULT
Internal libseccomp failure.
.TP
.B -EINVAL
Invalid input, either the context or architecture token is invalid.
.TP
.B -ENOMEM
The library was unable to allocate enough memory.
.TP
.B -ERANGE
The provided buffer was too small.
.P
If the \fISCMP_FLTATR_API_SYSRAWRC\fP filter attribute is non-zero then
additional error codes may be returned to the caller; these additional error
codes are the negative \fIerrno\fP values returned by the system.  Unfortunately
libseccomp can make no guarantees about these return values.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <seccomp.h>

int main(int argc, char *argv[])
{
	int rc = \-1;
	scmp_filter_ctx ctx;
	int filter_fd;

	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		goto out;

	/* ... */

	filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
	if (filter_fd == \-1) {
		rc = \-errno;
		goto out;
	}

	rc = seccomp_export_bpf(ctx, filter_fd);
	if (rc < 0) {
		close(filter_fd);
		goto out;
	}
	close(filter_fd);

	/* ... */

out:
	seccomp_release(ctx);
	return \-rc;
}
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp.  This tool,
as well as the libseccomp library, is currently under development, please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_init (3),
.BR seccomp_release (3)

